Operation

Administrative Access

Using security.manager NEXT requires administrative privileges to sign in to ArcGIS Enterprise if a federated ArcGIS Server should be protected. This can be achieved either by assigning a user to the default role Administrator in ArcGIS Enterprise portal. Or, if you want to keep the granted rights to a minimum, define a custom role in the portal and assign the following privileges to it:

Version 10.8.1 and higher

Grant the administrative privilege Servers.

The user working with security.manager NEXT has to be assigned to the custom role.

It is possible that data (e.g. layer information) from a secured service cannot be displayed to you inside the Policy Explorer of the security.manager NEXT Manager UI. Instead, an indication that administrator privileges are missing is shown, although the privileges have been set recently before. In this case, please wait a few minutes until the current roles have been processed by the security.manager NEXT and then try again.

ArcGIS Server Memory Settings

Activating security.manager NEXT on an ArcGIS Server service increases the memory footprint of the corresponding SOC process. The amount of additional memory required depends on the size of data the service delivers as well as the actual security policy defined within security.manager NEXT. For example, the enforcement of more complex spatial filter geometries may require more memory.

To prevent request processing errors caused by the lack of memory, the security.manager NEXT CLI as well as the Manager UI check the amount of memory that is available to a service when activating the security.manager NEXT SOI for a service. For dedicated instances, the javaHeapSize property value of the service itself is checked as it determines the maximal available memory for that service. This is different for shared instances, where the javaHeapSize property of the DynamicMappingHost service (located in the System services folder) specifies how much memory an instance of the shared instance pool can use at most.

In either case, if it is not defined yet, security.manager NEXT sets the value to 256 MB. This ensures that the SOI will have enough memory available in most cases. If javaHeapSize is already defined, security.manager NEXT will leave the value untouched, even if it has a lower value.

Setting javaHeapSize on a service overrides the default SOC maximum heap size that is defined for an ArcGIS Server machine. This is usually set to 64 MB.

Please note that the effective maximal amount of memory a service or the instance pool may consume multiplies with the number of maximal instances defined.

Allow Offline Editing

By default, security.manager NEXT blocks replica-related operations on protected feature services. These operations are used to create local copies of data for offline use.

To allow replication of feature layer data, you have to enable the sync capability on the feature service. Additionally, you need to activate support for replica-related operations in the security.manager NEXT. You can activate replica support either

Limitations on Replica Support

Please note the following restrictions when defining permissions for sync-enabled feature layers:

  • When editing features of a replicated data set, those permissions apply, that were defined when the replica was created.

  • If you have changed the permissions after the creation of replicas, you should first delete all replicas on the server. This way you avoid, that replicas — created based on obsolete policies — might modify your database unwantedly.

  • If a policy for a service defines some layers as readonly and others as editable then the synchronization applies only for editable layers. Readonly layers won’t recieve any changes made on the server, once a replica is created. The synchronization for these "mixed" setups is only possible if the service supports "synchronization per layer".

In order to select data to be loaded into ArcGIS Field Maps the user must have access to all layers of the regarding web map. Create a custom web map for each group of users if the set of accessible layers varies between groups.

Note, that Offline Map Areas defined on a web map in Portal for ArcGIS in advance are not supported. Areas to be taken offline have to be defined in the ArcGIS Field Maps app.

Important:

  • Field restrictions on replicated data sets are not supported. In case a field restriction is defined in the corresponding policy, replica creation is disabled.

  • Replicas containing data of layers or tables that are part of an n-to-m relationship may expose data ignoring access restrictions you defined on the related data. Users might be able to modify data they are not supposed to have access to. As a consequence, you should refrain from publishing data with n-to-m relationships if it is intended to be used in ArcGIS Field Maps.

Integrated Windows Authentication

When operating security.manager NEXT in an environment with Integrated Windows Authentication (IWA) activated, you need to take care of some specifics in configuration and use.

ArcGIS Enterprise URLs

When installing security.manager NEXT you have to specify URLs to ArcGIS Server or ArcGIS Enterprise portal in the application.properties file. In an environment with Integrated Windows Authentication enabled, always use the URLs of the Web Adaptor, for example https://gis.example.com/arcgis or https://gis.example.com/portal, respectively. Do not specify the direct URLs, which use the ports 6443, 7443, 6080, and 7080.

CORS settings

You need to activate Cross Origin Request Sharing support in the Microsoft Internet Information Services (IIS), when all the following conditions apply to your setup:

  1. You are using an unfederated ArcGIS Server
    and

  2. security.manager NEXT Manager UI is available under a different hostname than ArcGIS Server.

In this case CORS is required to allow the Manager UI (https://security.example.com/secman-next, for example) to connect to the ArcGIS Server Administrator Directory (https://gis.example.com/arcgis/admin, for example).

To activate CORS in IIS, follow these steps:

  1. Install the IIS CORS Module if not done already.

  2. In C:\inetpub\wwwroot\<webadaptor>\Web.config add the following configuration:

    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
          <add origin="[ORIGIN_OF_SECURITYMANAGER]"
              allowCredentials="true" >
          </add>
        </cors>
    <system.webServer>

Replace [ORIGIN_OF_SECURITYMANAGER] with the base URL of the Manager UI (omit the /secman-next part). For example if the Manager UI is accessible as http://security.example.com/secman-next, insert https://security.example.com.

Using the CLI with a federated ArcGIS Server

If you are using security.manager NEXT CLI from a host that allows you to login to portal with IWA, please note the following specifics:

  1. Always activate the option --iwa when running any of the commands.

  2. When specifying an ArcGIS Server URL for the -d (--server-url) option, always use the Web Adaptor URL.

  3. You still need to specify token to successfully run any command except secmanctl login. When running secmanctl login, activate the option --iwa, and don’t specify a username or password.

Using the CLI with an unfederated ArcGIS Server

If you are using security.manager NEXT CLI from a host that allows you to login to ArcGIS Server with IWA, please note the following specifics:

  1. Always activate the option --iwa when running any of the commands

  2. When specifying an ArcGIS Server URL for the -d (--server-url) option, always use the Web Adaptor URL.

  3. You don’t need to specify a token when running a command. Hence, you don’t need to employ the command secmanctl login at all.

Upgrade of ArcGIS Enterprise from 10.x to 11.x

This section describes how to deal with the major version change of ArcGIS Enterprise from 10.x to 11.x

There is no SOI that supports both ArcGIS 10 and ArcGIS 11 simultaneously. Therefore, the security.manager NEXT SOI must be upgraded alongside ArcGIS Enterprise, which is described below.

If you install ArcGIS Enterprise 11 on a separate server, you can backup existing policies on your ArcGIS Enterprise 10 installation and restore them on the new ArcGIS Enterprise 11 installation with the security.manager NEXT CLI.

In-place upgrade

The upgrade of security.manager NEXT alongside ArcGIS Enterprise from 10.x to 11.x particularly concerns the SOI. Please perform the security.manager NEXT upgrade after the ArcGIS Enterprise upgrade. All services with security.manager activated will temporarily not be able to start after the ArcGIS- and before the SOI update.

  1. Backup existing policies on the ArcGIS Enterprise 10 installation so you can restore them in case of a loss of policies during the upgrade process.

  2. Perform the ArcGIS Enterprise Upgrade from 10.x to 11.x.
    As a result, all services with security.manager activated will be stopped. These services won’t be able to start before the SOI is updated.

  3. Sign in to ArcGIS Server Manager and navigate to the Site section. Open the Extensions area.

  4. Delete the installed SOE file for ArcMap (file name: ct-security-soi-arcmap.soe) via the Delete extension action.
    This is obsolete, as there is no ArcMap Runtime in ArcGIS 11.x anymore.
    Please note that when you delete the wrong SOE file, this will result in a loss of policies.

  5. Perform an upgrade of the installed SOE file for ArcGIS Pro via Edit extension action.

  6. Verify that the version of the upgraded extension shown in the column Display Name contains the version 1.6.0

  7. Sign in to the security.manager NEXT Manager UI and verify that security.manager is activated on all desired services in the Service Manager, indicated by the security.manager activated icon.
    You should also check that your policies are still present by clicking service menuEdit permissions for those services. If not, they can be restored with the policy backup.

  8. Start all desired services in the ArcGIS Server Manager.